Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: Antonios on December 18, 2019, 09:18:52 AM

Title: Can Routers Be Infected?
Post by: Antonios on December 18, 2019, 09:18:52 AM
Hello Friends,

Can a router be infected? I am getting a popup from my AV program that my router could be infected. Any idea what might be going on?
Title: Re: Can Routers Be Infected?
Post by: dee.jay on December 18, 2019, 03:22:44 PM
A router itself can't be infected.

A router could be open to vulnerabilities, but that is something someone has to openly try and exploit.

In some cases, you get some spam/pop-up scam effort to try and extort money out of you because it will make you believe you have an issue, when in fact, you likely don't. This is commonplace these days to try and extract money out from people who wouldn't know better/have the foresight to ask folks who do know...

However, as this is from an AV - I'd still be suspicious. What AV is it?

Title: Re: Can Routers Be Infected?
Post by: ejs on December 18, 2019, 07:33:40 PM
A router can be infected. It's quite possible for someone to get their malicious software into a router and get the router to execute it. I don't think any typical AV program would be able to accurately determine if that had actually happened.
Title: Re: Can Routers Be Infected?
Post by: niemand on December 18, 2019, 11:25:05 PM
I wonder if your AV is genuine AV or some fake stuff. Is it trying to sell you something when it claims your router is infected?
Title: Re: Can Routers Be Infected?
Post by: sevenlayermuddle on December 19, 2019, 12:44:37 AM
My own understanding is there’s a middle ground whereby a router’s firmware has not been ‘infected’ in the traditional sense yet a router vulnerability has been exploited that allowed, for example, default DNS settings to be reconfigured with malicious intent.

I would have thought an AV might be able to detect that scenario by testing specific DNS resolutions. For example, if a .gov.uk address resolves to an IP normally associated with the Kremlin, the AV might want to alert the user to the possibility that something unsavoury is afoot.

> I wonder if your AV is genuine AV or some fake stuff. Is it trying to sell you something when it claims your router is infected?

Yes, that too!
Title: Re: Can Routers Be Infected?
Post by: Chrysalis on December 19, 2019, 07:14:55 AM
A router can be "compromised". Infected would mean a resident rootkit. Since many routers use some form of Linux, and Linux can be rootkit'd, then yes they can be infected.

As long as the router doesn't allow any connections from the WAN then it's very unlikely it can happen; it would have to be done from the LAN side, which means they need to compromise your LAN first.
Title: Re: Can Routers Be Infected?
Post by: Weaver on December 19, 2019, 09:11:58 AM
Best thing to do: delete the AV program, run Trend Micro Housecall (https://www.trendmicro.com/en_us/forHome/products/housecall.html) or similar tools (https://kitz.co.uk/tech/help.htm).
Title: Re: Can Routers Be Infected?
Post by: Antonios on December 24, 2019, 07:20:36 AM
I also found this post which depicts my scenario. Is this really possible, what it says here (https://silicophilic.com/avast-says-my-router-is-infected/)?
Title: Re: Can Routers Be Infected?
Post by: Alex Atkin UK on December 24, 2019, 07:50:37 AM
I'm curious how Avast are detecting this. I can only imagine they are checking certain DNS results from the router against lookups from a known-good DNS server and doing a comparison. Depending on how clever this is, it could easily trip up if your ISP has some form of web filtering via DNS.

While DNS hijacking is serious and something you don't want to happen, I fail to see how something like Avast can reliably detect it.
Title: Re: Can Routers Be Infected?
Post by: Chrysalis on December 24, 2019, 04:23:12 PM
Either it's some kind of fake warning, or yeah they look for what could be perceived as telltale signs. Maybe they check for backdoor ports of known rootkits, rogue DNS results; if Avast has a firewall that's enabled, they might even log a port scan coming from the router.
Title: Re: Can Routers Be Infected?
Post by: Alex Atkin UK on December 25, 2019, 05:09:20 AM
> Either it's some kind of fake warning, or yeah they look for what could be perceived as telltale signs. Maybe they check for backdoor ports of known rootkits, rogue DNS results; if Avast has a firewall that's enabled, they might even log a port scan coming from the router.

Looking at their website, it doesn't sound like it.

All they seem to tell you to do to "fix it", is reset DNS to ISP provided or set it to Google DNS and turn off DDNS.
Title: Re: Can Routers Be Infected?
Post by: parkdale on December 25, 2019, 10:20:56 AM
I used to use Avast in the past but it seems to have become "Scare ware" now by flagging up problems which require you to buy the most expensive version before it's happy.
 :-X :-X :-X

Uninstall Avast and use Quad9 (https://www.quad9.net) by putting 9.9.9.9 as your primary DNS and 149.112.112.112 for secondary in your router, and change your password.
I have read that routers can be infected, but this mainly occurs with ISP-supplied devices which all have default passwords etc. (https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/)
Title: Re: Can Routers Be Infected?
Post by: Chrysalis on December 25, 2019, 10:23:00 AM
> Looking at their website, it doesn't sound like it.
>
> All they seem to tell you to do to "fix it", is reset DNS to ISP provided or set it to Google DNS and turn off DDNS.

Hence the "maybe" :) I doubt a consumer router wouldn't be doing anything like actual proper checks, I would expect it's either false or DNS related as you said.